Email security in the health care industry
Encryption is a common sense measure and one of the simpler tactics to integrate into your toolbox
Data breaches are widespread today, and personally identifiable information (PII) – including protected health information (PHI) – is like pure gold to cybercriminals. That means now more than ever, health care organizations, financial institutions and legal enterprises that hold or store PII and PHI have to put pertinent practices in place to ensure their patients’ and clients’ records are secure and protected.
Regulatory bodies are increasingly making it mandatory to protect data through compliance standards, laws and regulations. Today, medical practices and companies are not only at risk of losing their good reputation if they experience a data breach, but can now face substantial fines or even lose important accreditations.
Email is an indispensable part of doing business in the health care field. In fact, patients are becoming more and more comfortable with emailing their physician’s office to schedule an appointment, discuss laboratory results or request refills on medication.
The challenge is that email is not encrypted by default, and it traverses numerous networks and hops across the Internet while in transit from sender to recipient. Along the way, that means someone could potentially read and capture the information or alter the contents of the email after it’s been sent. Encrypting the email is the only way to prevent this from happening.
Today, if a health care organization uses email to communicate with patients and other parties, it is required under the Health Insurance Portability and Accountability Act (HIPAA) to safeguard that information. In 2010, HIPAA rules were further enhanced so that a breach can result in significant penalties.
Email encryption is a common sense measure and one of the simpler tactics to integrate into your IT security toolbox.
Email encryption solutions scan outbound emails for any type of PHI or other sensitive information and automatically enforce encryption.
Alternatively, the sender may choose to encrypt the email using a number of methods, including a simple subject line tag. The recipient then receives an email notifying them that they have a secured message waiting, with a link to a secure portal from which they can retrieve the full email. With a dedicated secure email portal, the recipient can also send a secured reply back to your organization.
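As an added illustration (not code from the article or from any vendor it mentions), the following outbound-policy check combines the two triggers just described: an explicit sender-chosen subject tag and content scanning for PHI indicators. The tag value, the detection patterns and the addresses are assumptions; real gateways use tuned dictionaries and identifiers.

```python
import re
from email.message import EmailMessage

# Assumed subject-line tag a sender can use to force encryption.
# The real tag is configured per deployment; this value is an assumption.
SECURE_TAG = "[secure]"

# Constructed, illustrative detectors for a few PHI/PII indicators.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}",
                      re.IGNORECASE),
    "clinical_terms": re.compile(r"\b(?:diagnos(?:is|ed)|lab results?|prescription)\b",
                                 re.IGNORECASE),
}


def message_text(msg: EmailMessage) -> str:
    """Collect the subject plus every text/* part of an outbound message."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            parts.append(part.get_content())
    return "\n".join(parts)


def encryption_decision(msg: EmailMessage) -> dict:
    """Decide whether the gateway must encrypt this message, and why.

    Trigger 1: the sender put the secure tag in the subject line.
    Trigger 2: scanning found a PHI/PII indicator in the subject or body.
    """
    reasons = []
    if SECURE_TAG in msg.get("Subject", "").lower():
        reasons.append("subject_tag")
    text = message_text(msg)
    for name, pattern in PHI_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"phi:{name}")
    return {"encrypt": bool(reasons), "reasons": reasons}


def build_message(subject: str, body: str) -> EmailMessage:
    """Build a sample outbound message (constructed test data, assumed addresses)."""
    msg = EmailMessage()
    msg["From"] = "clinic@example.org"
    msg["To"] = "patient@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg
```

Pattern scanning alone misses PHI inside attachments such as scanned documents or images, which is why the explicit sender tag is worth keeping as a second trigger rather than relying on content detection only.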
As the cybercrime threat to the health care industry continues to grow, the IT systems of hospitals, private practices and other organizations are under scrutiny for failures and inadequate controls. More than ever, medical practices have to know where sensitive data resides on their networks and control access to it. Email presents an opportunity for hackers to get in, and encryption is one way to close the door on them.
Zix Corp., an email encryption provider, has an application known as ZixOne that can easily be installed and operated on smartphones, providing the end user with a secure way to access work emails and calendars. Zix, installed on company computers and laptops, allows senders to ship encrypted emails by simply utilizing a specific, easy-to-remember subject line. The solution is used by one in every five U.S. hospitals and more than 30 Blue Cross Blue Shield organizations.
Email encryption may not be the end-all, be-all of invincible security, but it is a way to keep cybercriminals from accessing secure and private information. It is an essential component of today’s security landscape and should be a part of any health care institution’s defense-in-depth approach to layered security. The choice is not whether you should implement email encryption services, but rather how to implement them.
Mark Benton, a product manager at Maine-based Systems Engineering and an active board member of the University of Maine Cyber Security Cluster, can be reached at 603-226-0300 or through syseng.com.